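< SNIP >

squid config:

##start wccp2.sh
#!/usr/bin/bash
#
# wccp2.sh - bring up the WCCPv2 GRE tunnel from the Cisco router and divert
# intercepted port-80 traffic into the Squid TPROXY listener (port 3129).
#
# Must run as root (modprobe, /proc/sys writes, iptunnel/ifconfig/ip/iptables).
# Re-running on an already configured box makes "ip rule add", "ip route add"
# and "iptables -N DIVERT" report that the object exists; the mangle table
# itself is flushed and rebuilt on every run.

echo "Loading modules.."
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre

# Address of this proxy box on the router-facing VLAN (eth1).
LOCALIP="10.80.2.2"
# Directly connected router address; WCCP control traffic (UDP 2048) comes
# from here.
CISCODIRIP="10.80.2.1"
# The GRE tunnel must terminate on the router's WCCP router identifier, not
# on the directly connected address. In the Cisco config that is the address
# of the gateway-side interface (FastEthernet0/0.1).
CISCOIPID="192.168.10.127"
# Port of Squid's TPROXY listener; squid.conf is assumed to carry a matching
# "http_port 3129 tproxy" line (not part of the snippet below - confirm).
TPROXY_PORT=3129

echo "changing routing and reverse path stuff.."
# Diverted packets carry the client's source address on a local interface;
# reverse-path filtering on lo would otherwise discard them.
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "creating tunnel..."
iptunnel add wccp0 mode gre remote "$CISCOIPID" local "$LOCALIP" dev eth1
ifconfig wccp0 127.0.1.1/32 up

echo "creating routing table for tproxy..."
# Anything carrying fwmark 1 is delivered to the local stack via table 100 so
# the TPROXY socket can pick it up.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo "creating iptables tproxy rules..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
# WCCP "Here I Am"/"I See You" exchange: only from the directly connected
# router.
iptables -A INPUT -s "$CISCODIRIP" -p udp -m udp --dport 2048 -j ACCEPT
# Redirected client traffic arrives decapsulated on the tunnel interface.
iptables -A INPUT -i wccp0 -j ACCEPT
# GRE carries no authentication. Accept encapsulated packets only from the
# tunnel peer rather than from any source, so that other hosts cannot hand
# arbitrary traffic to the redirect path.
iptables -A INPUT -s "$CISCOIPID" -p gre -j ACCEPT

iptables -t mangle -F
# Traffic addressed to the proxy itself (WCCP control, management) is never
# diverted; this rule must stay first.
iptables -t mangle -A PREROUTING -d "$LOCALIP" -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# Packets that already belong to a local (TPROXY) socket are just marked.
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# New port-80 connections are marked and handed to the Squid listener.
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port "$TPROXY_PORT"
##end

##start add to squid.conf
wccp2_router 10.80.2.1
wccp_version 2
wccp2_rebuild_wait on
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
##end

##cisco config
conf t
ip access-list extended wccp
permit ip 10.80.3.0 0.0.0.255 any
ip access-list extended wccp_to_inside
permit ip any 10.80.3.0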
0.0.0.255
exit
ip wccp 80 redirect-list wccp
ip wccp 90 redirect-list wccp_to_inside
!gw interface
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.10.127 255.255.255.0
ip wccp 80 redirect out
ip wccp 90 redirect in
exit
!proxy interface
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 10.80.2.1 255.255.255.0
ip wccp redirect exclude in
exit
!clients interface
interface FastEthernet0/0.200
encapsulation dot1Q 200
ip address 10.80.3.1 255.255.255.0
exit
!route to internet gw
ip route 0.0.0.0 0.0.0.0 192.168.10.201
end
##cisco config end

Many thanks Eliezer. I still have the same issue: once the packets arrive on the squid box they are not actually diverted into the squid daemon, so the requests fail. I have found a working solution, which is not to use WCCP at all but instead to build a plain GRE tunnel between the squid box and the Cisco router; the DNAT/Redirect methods then work as expected.

Thanks again
Wayne